Malware, Phishing

CrowdStrike outage exploited for Lumma infostealer deployment


Attackers have been spreading the Lumma information-stealing malware using a fraudulent CrowdStrike domain registered just days after the massive global IT outage resulting from a faulty update of its Falcon platform, according to The Register.

Intrusions involved the domain crowdstrike-office365[.]com, which lured users into downloading a purported recovery tool for the update-related boot loop issues. The download instead delivers a malware loader which, when executed, eventually drops the Lumma infostealer, the same malware UNC5537 had leveraged to exfiltrate credentials and infiltrate Snowflake cloud storage instances, CrowdStrike said. The campaign may have been conducted by the same threat actors behind Lumma-spreading social engineering attacks last month, which involved phishing emails and fraudulent phone calls from people posing as Microsoft Teams help desk employees. "Based on the shared infrastructure between the campaigns and apparent targeting of corporate networks, CrowdStrike Intelligence assesses with moderate confidence that the activity is likely attributable to the same unnamed threat actor," researchers said.
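The campaign hinges on a brand-lookalike domain registered in the window after the outage, so the defender-side check is to watch outbound web traffic for the reported indicator and for other registered domains that carry the vendor's name but are not the vendor's own. The following script is an added example, not code from the article or from CrowdStrike: it refangs the defanged indicator quoted above, applies a simple lookalike heuristic, and runs both over constructed proxy log lines. The log format, the timestamps, the client addresses, the `LEGIT_DOMAINS` allowlist and the `.example` hostname are all assumptions made for the demonstration; a real deployment would use the organization's own allowlist and a public-suffix-list library for domain splitting.

```python
import re
from urllib.parse import urlparse

# Defanged indicator as reported in the article; refanged before matching.
REPORTED_IOC = "crowdstrike-office365[.]com"

# Assumption: domains the vendor legitimately uses. Placeholder allowlist,
# to be replaced with the organization's own curated list.
LEGIT_DOMAINS = {"crowdstrike.com"}

# Brand strings whose presence in an unknown registered domain is suspicious.
BRAND_KEYWORDS = ("crowdstrike",)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for .com-style suffixes;
    use a public suffix list for multi-label TLDs such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> str:
    """Return 'legit', 'known_ioc', 'brand_lookalike' or 'other' for a hostname."""
    rd = registered_domain(host)
    if rd in LEGIT_DOMAINS:
        return "legit"
    if rd == refang(REPORTED_IOC):
        return "known_ioc"
    if any(kw in rd for kw in BRAND_KEYWORDS):
        return "brand_lookalike"
    return "other"


# Constructed sample proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOGS = [
    "2024-01-01T10:01:02Z 10.0.0.5 GET https://www.crowdstrike.com/blog/ 200",
    "2024-01-01T10:02:17Z 10.0.0.9 GET https://crowdstrike-office365.com/recovery-tool.zip 200",
    "2024-01-01T10:03:40Z 10.0.0.9 GET https://crowdstrike-support.example/fix.exe 200",
    "2024-01-01T10:04:01Z 10.0.0.7 GET https://login.microsoftonline.com/ 302",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def scan_logs(lines):
    """Yield (timestamp, client, host, verdict) for every line whose host is
    the reported indicator or a brand lookalike outside the allowlist."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        host = urlparse(m["url"]).hostname or ""
        verdict = classify_host(host)
        if verdict in ("known_ioc", "brand_lookalike"):
            alerts.append((m["ts"], m["client"], host, verdict))
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(*alert)
```

The lookalike heuristic is deliberately loose and will produce false positives for partners or resellers that embed the vendor name in their own domains, which is why the allowlist is checked first; the value of the exact-indicator match is that it stays precise while the heuristic surfaces sibling domains the indicator feed has not yet caught.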
